Top 5 Mac Security Tips for the Holidays

by Matt

Black Friday has come and gone. Cyber Monday is now in the mirror. Can we Mac users now feel safe from the identity theft, hacking, and viruses that always find ways to ruin some of our Windows friends’ holiday season? While using a Mac may provide some cyber protection, there are plenty of steps we all can take to ensure that our days shopping and traveling will leave us feeling merry.

Traveling in a Winter Wonderland

During the holidays, many of us are flying or driving to see loved ones. We take our laptops and iPhones with us wherever we go, but our portable lives expose us to security threats we may not fear at home. Here are a few tips to keep your data protected while on your journey.

Tip #1: Consider using Apple’s FileVault. FileVault is a technology built into Mac OS X Leopard that allows a user’s home folder to be stored on an encrypted disk image rather than as a group of folders on the hard disk. Why is this a big deal? All of your sensitive data, such as bank passwords, emails, and browser cookies, is stored in your home folder. If someone were to steal your laptop, they could boot from a Mac OS X restore disc and reset your user password (or go a step further and remove the hard drive from your machine to gain access to the files). With the new password, they can simply log in to your account and access all of the data. FileVault encrypts (or scrambles) that data so that it is completely unreadable without the password. FileVault also prevents a thief from resetting the password to gain access to the files.

While the majority of Mac users have never heard of FileVault, many who do know about the technology fear it, or worse, revile it. When FileVault made its debut in 10.3 Panther, it “worked,” but I know many people who lost data due to a buggy implementation. FileVault was refined in 10.4 Tiger and further improved in 10.5 Leopard. While no software implementation is perfect, FileVault does a great job of protecting your data. To turn it on, go into your System Preferences and select Security:

Then select the FileVault tab at the top.

Next, assuming you do not have a master password set for the computer, select the button to select a master password. This is a password that can be used to reset the password of all the accounts on your computer. It’s likely you are the only user, so this will be less important, but if you have multiple FileVault accounts on one machine, this password lets you reset any of them.

Finally, click to turn on FileVault. You must have enough free space on your computer to do this. How much? You need roughly the same number of gigabytes of free space as you are using for your account. Thus, if your account is 8 GB, you’ll need at least that to turn on FileVault. If FileVault can be turned on, you’ll be logged out of your account and the conversion process will begin. This can take anywhere from a few minutes to several hours. Be patient! You only have to do this once. Once completed, you will have to log into your account, and the decryption process will be seamless.

Tip: When users’ home folders are too large, this is usually because they have huge iTunes collections. One solution is to go to iTunes and change the location of the iTunes folder to the Shared folder in the Users folder. Then, from iTunes’ File menu, choose Library -> Consolidate Library to move the files. While this will leave your iTunes collection unprotected, you may not care about people simply getting ahold of your music.
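The free-space rule and the iTunes workaround above can be checked from Terminal before you start the conversion. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes the iTunes folder sits at its default location, Music/iTunes inside the home folder.

```shell
#!/bin/sh
# Added example: pre-flight check for the FileVault free-space rule.
# All sizes are kilobytes, as reported by POSIX `du -sk` and `df -Pk`.

# Size of a directory tree in KB (0 if the directory does not exist).
dir_kb() {
    [ -d "$1" ] || { echo 0; return; }
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Free KB on the volume that holds the given path.
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Verdict for: home size, iTunes folder size, free space (all in KB).
#   ok           - free space covers the whole home folder
#   move-itunes  - fits only once the iTunes folder is moved out of the
#                  home folder (same disk, so free space stays the same
#                  while the amount to encrypt shrinks)
#   insufficient - does not fit either way
filevault_verdict() {
    home=$1; itunes=$2; free=$3
    if [ "$free" -ge "$home" ]; then
        echo ok
    elif [ "$free" -ge $((home - itunes)) ]; then
        echo move-itunes
    else
        echo insufficient
    fi
}

# Measure one home folder and report the verdict.
# An optional second argument overrides the measured free space (KB).
filevault_preflight() {
    h=$1
    filevault_verdict "$(dir_kb "$h")" "$(dir_kb "$h/Music/iTunes")" \
        "${2:-$(free_kb "$h")}"
}

# When run with a home folder path as the first argument, print the verdict.
if [ $# -gt 0 ]; then
    filevault_preflight "$1"
fi
```

Run it as `sh check.sh "$HOME"` (the script file name is arbitrary); a result of `move-itunes` means the conversion will only fit after following the iTunes tip above.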

Tip #2: Use Secure Virtual Memory (along with other precautions). As long as you’re still in the Security System Preference, you should click on the General tab, where there are five additional high-security precautions you can take. I have ranked these from 1-5 in terms of most paranoid protection to least paranoid protection. If that’s the case, why am I first recommending that you turn on secure virtual memory if that’s for the most paranoid? Because FileVault is not secure without secure virtual memory.

The reason is that your computer stores everything you type (and everything you read) in temporary memory (called virtual memory). Without checking the “Use secure virtual memory” box, anything you type or read, if it is still in memory, will be plainly visible to someone who knows how to read it. Thus, if someone steals your machine, it is possible the password you typed to log in (or anything else you typed) might be readable. Using secure virtual memory will scramble even this temporary memory, giving you much more protection.

You are free to use any of the other check boxes as well. Doing something as simple as disabling the automatic login (so that you have to put in your password to get to the Desktop) goes a long way. Many people who steal laptops simply want to turn around and sell them. Either they or the buyer will wipe the hard drive, but if you’re letting them go straight to the Desktop, even the most novice thief may be willing to poke around your files to see what he can uncover.

Tip #3: Set an Open Firmware/EFI password. This tip is not just valuable in the face of holiday theft: it is great for computer lab administrators or even parents who don’t want to let a knowledgeable user gain too much access to the computer. If you set this password, you will need to enter it each time you boot your computer. This prevents a user from booting the computer from a CD/DVD, external hard drive, network drive, or the boot drive until the password is entered.

If you’re running 10.4.x, you must copy the Open Firmware Utility to your Utilities folder. It is on your 10.4 install/restore disc (first restore disc) and is located in the /Applications/Utilities folder.

If you’re running 10.5.x, you must boot from the Leopard install/restore disc and choose Firmware Password Utility from the Utilities menu.

Note that you should try to physically secure your machine (obviously tough to do if you have a laptop). Someone can still get access to your data if they physically remove the hard drive. But for people in homes or labs, this provides a moderate level of protection. For a more thorough explanation of this utility, you can read Apple’s kbase article on the subject.

Tip #4: At least install anti-virus software. Yes, it’s true that Macs are less vulnerable to viruses than PCs are. There have been some “experimental” or “demo” viruses on Mac OS X that have not been released into the wild to any large degree, but other than those, there’s virtually no way to put Mac and virus in the same sentence. That being said, there are still valuable reasons to use anti-virus software.

First, as was covered here, here, here, and here (and even here), Apple is now recommending that Mac OS X users install anti-virus software. [Note: Since the above articles were published over the last 24 hours, Apple has removed its knowledgebase article on the subject.]

Second, anti-virus software provides an ounce (or ~28g) of prevention. AV software is updated regularly and even more frequently when viruses are released. By having up-to-date software already installed on your machine, you will be better prepared in case a more serious Mac virus is released. While I understand the philosophy of downloading AV software once a virus makes the headlines, that only works if you’re lucky enough to not get the virus before you download the AV software. Is that laziness really worth it, especially when …

Third, there is the excellent and free ClamXAV anti-virus software. ClamXAV uses the open source Clam engine, available on Mac OS X, Windows, and of course Linux. You can scan your entire HD, watch susceptible folders (like your Downloads folder), or easily scan individual files in the Finder. Download it, install it, be done with it.

Fourth, you can still transmit viruses to Windows users if you receive a file with a Windows virus. Simply transferring an infected file from Windows to Mac does not remove the virus. Since it is common to release viruses around the holidays and even more common to exchange Office files and photos and movies of holiday events, it’s worth inspecting the files you exchange with Windows users.

Tip #5: Lock down your iPhone. It will come as no surprise that iPhones are big theft targets this holiday season. While I can’t offer advice on how to prevent iPhone theft, I can tell you how you can prevent thieves from running up your phone bill once they’ve stolen it.

First, you need to turn on the SIM PIN. You can do this by navigating to Settings -> Phone -> SIM PIN. From here, you can create a PIN number that will be entered each time you turn on your phone to gain access to incoming and outgoing calls and data. A few notes:

Don’t forget your PIN! Turning off the PIN number does not erase the number; the next time you turn it on, you’ll need to enter the same number before you can change it. (Click here to see what your service’s default PIN is.)

Once the PIN is deactivated while the phone is on, you can’t reactivate the lock until you turn the phone off again.

There’s another reason I love this feature: international travel. When I travel internationally, I turn on the SIM PIN and turn off my phone when boarding the plane at the domestic departure. That way, when I arrive overseas, my phone never connects to the local phone service (that way, I’m not paying for international data, voice mail, or text messages). I can still use the phone’s applications and WiFi.

Second, you can turn on the Passcode Lock. How is this different? Well, for starters, it’s both more and less secure than the SIM PIN. It’s more secure because you will have to enter the passcode after a period of inactivity (that you set) to do anything (make calls, use applications, use the iPod feature). When you become inactive again, the passcode turns back on. Thus, it’s a great way to prevent any access to your phone.

It’s also less secure, though: Without a SIM PIN, a thief could take your phone home and restore the iPhone to factory settings, then make all the calls he wants. While he won’t have your data, he’ll use your minutes. Using both PINs gives you the best security. You can access the passcode lock by going to Settings -> General -> Passcode Lock.

Other Tips?

There are many other things you can do to protect your computer and its data during the holidays. Consider installing theft recovery software like Undercover or MacTrak so that if your laptop is stolen, you might be able to see its location and new owner. Make sure your user account is password protected. Turn off Bluetooth on your iPhone to prevent unauthorized access.

What do you think of these tips? Are any more or less valuable than others? Do you have stories or tips you can share from past holidays to help others? Let us know in the comments.

Make sure you update to 10.5.5 if you haven’t done so because Apple has made improvements in the way Time Machine handles encrypted backups.

You do not need to erase your backups at all. What will happen is your existing data will eventually be deleted by Time Machine within the next month, as it sees that your old user folder no longer exists in the “normal” fashion but is now an encrypted disk image.

Encrypted disk images do take longer to backup because they are backed up in “slices.” Let’s say your home folder takes up 10GB of space. Your disk image is likely backed up via 5 slices of 2GB. What this means is if your data has changed by 1KB-1.99GB, Time Machine must back up a whole 2GB slice, rather than the exact amount of data that has changed.

While you are logged into your FileVault account, Time Machine will not back up your data. It only backs up your data while you are logged out of a FileVault account. Thus, there are some trade-offs using FileVault with Time Machine. You might have a look at this great Mac OS X Hints article for more on the subject.

The only viable attack vector for Mac viruses is user ignorance. Apple has taken every possible precaution in this case (file quarantine + many warnings), but if you really can’t tell when not to download and run a piece of software, here’s security tip #6: use the guest account and forget your admin account password. Or, better yet, sell your computer and get a typewriter.

The rest of these tips simply combat physical access to your machine. FileVault and secure virtual memory require a lot of CPU and disk overhead, which can really make your machine drag. A better idea is just not to let people steal your laptop.

And, how exactly does someone compromise your iPhone via Bluetooth? Even if they did manage to work their way around pairing, iPhone doesn’t even support OBEX.

“Tip #3: Set an Open Firmware/EFI password. This tip is not just valuable in the face of holiday theft: it is great for computer lab administrators or even parents who don’t want to let a knowledgeable user gain too much access to the computer. If you set this password, you will need to enter it each time you boot your computer.”

This is not true; at least, I have not found it to be true. You do not need to enter the password each time you boot your computer. Read the Apple KB article you included in the post. You only need it when trying to use means of booting other than normal, hence why user names and passwords are critical over auto login.
